Cybersecurity Foundations – Acceptable Use Policy
OR You Didn’t Say I Couldn’t Do It
Cybersecurity, or security of any kind, is a vast and sometimes complicated orchestra of different technologies, departments, budgets, people, and policies. To someone unfamiliar, it can be similar to standing at the base of Mount Everest with a secure environment at the summit. How can you possibly get there? The Acceptable Use Policy is the legal teeth between an organization’s resources and users.
Users of the resources can be consumers in the form of an End-User License Agreement (EULA), vendors, employees, stockholders, visitors, or anyone that interacts with your resources. We will focus on Information Technology (IT) resources as they are by far the most often misused. However, every resource, whether a company vehicle or mop, should have an Acceptable Use Policy. No, I’m not joking.
What Is It? – The Acceptable Use Policy (AUP), in its most simple form, is a legally binding agreement between the organization and anyone who interacts with IT resources. It should 1) explicitly identify what resources are provided for use, 2) define who is allowed to utilize those resources, and 3) explain what actions are and are not allowed. To keep the document simple and prevent it from becoming an encyclopedia set, it should refer to other policies that change over time, such as an Internet Usage Policy or Mobile Phone Data Protection Policy.
Why Do I Need It? – Legal counsel will say if you don’t tell people what they can and can’t do, they aren’t liable for the damages. Remember the person who was awarded millions because she didn’t know coffee was hot? Yeah, that’s where we are legally in the United States. One person noted that motorcycle user manuals were used to provide details on how to tune engine valves. Now it tells people not to drink the contents of the battery. A recent chainsaw manual shows the following picture that sums up the lack of common sense.
What I Got – Any organization with a Human Resources department likely has some type of Acceptable Use Policy (AUP) in place. This is typically included in the employee handbook, and new employees are required to sign, legally confirming they have received, read, and agree with the policy. If you don’t have one, creating and implementing one should be the first thing you do…after reading this!
Banners – You know those annoying legal banners that show up on your computer when you try to log in? Those are other forms of AUP that should be on every IT device to create defense-in-depth. By forcing potential users to read and implicitly agree to the policy by logging in, the organization protects itself from data breaches. Too many hackers’ charges were dropped because no one told them they couldn’t log into a system and freely take data.
Keep It Fresh – Policy should be reviewed and refreshed at least annually. This means that management and IT policymakers must be familiar with current trends and threats, both technical and legal, to avoid loopholes. Even if policies do not materially change, users must be presented with the agreements again and reaffirm their receipt, digestion, and acceptance of the policy. This means every year or two, all AUPs must be re-read, and users must legally accept, even if it hasn’t changed. Work with your legal counsel on the best frequency and mode of distribution.
Don’t Be Randy – Here are a few real-world examples of why you need an AUP. Randy works for a company with no AUP. He is moonlighting using his corporate laptop for the competition. He views pornography at work. As part of his activities, he also dabbles in hacking. Suddenly, the entire system is either compromised, corporate records are stolen, or Ransomware locks the system down. Digital forensics proves Randy is the source, whether malicious or ignorant. You can’t fire Randy or hold him accountable because you never told him he couldn’t do any of those things. The courts will say you brought this on yourself!
Mopping Up – Now, let’s take the conversation down a general path. Remember the corporate mop? What if your janitor decides to use the mop as a weapon? Or does he decides to take it home and use it there? Besides the legal ramifications and lack of compensation, not setting boundaries with resources will create divisions between employees and departments.
Required By Insurance – The good news is that most insurance companies providing cybersecurity policies require organizations to have written policies in place. Some are more specific and clearer than others. Best option is to speak with your legal counsel as I am not an attorney, nor do I know the laws in your jurisdiction.
Is It The Primary Policy? – No, you should already have created organizational policies that govern how your company operates and what is expected of everyone. Plus, there are several other policies, as mentioned, that complement the AUP. We will discuss some of those in detail in future blog posts.
Generation Without Skills – Studies find that certain generations simply do not have the same level of computer skills, aptitude, or attention span as others. Baby Boomers are, no surprise, not as adept with computers as they didn’t experience them in the workforce until later in their careers. Gen-X and Millennials grew up with computer technology. Gen-Z, on the other hand, is a mobile culture with little interaction on a standard business computer. Add to that their notoriously short attention spans, eight seconds according to studies, and keeping them “on the bull” at work may prove challenging. Of course, thanks to social media and hundreds of other distractions online, the AUP is imperative for everyone.
When did your job become Cat Herder? The legal requirements to keep an organization safe from cyber threats, both internal and external, can feel like a losing battle. But, organizations need to understand and seriously protect themselves from the ground up. It WILL happen to you. You are never too small or insignificant in the business world to not be shoved out of business by a cybersecurity incident. Take the time and expense to work with legal and technical experts, or you, Randy, and your janitor may all be looking for new jobs together.
Congratulations! You are on your way up the mountain to a secure IT environment!